PaulDotCom mailing list archives
Dropping a VM during pentesting
From: jsawyer at ufl.edu (John Sawyer)
Date: Tue, 10 Mar 2009 11:46:56 -0400
This is an interesting approach. It's like a virtualized dropbox minus the hardware investment. I think you're right about the antivirus detection. Since the tools would be contained within a VM, they should stay hidden from antivirus, making detection more difficult. Detecting big changes in disk space might alert to something suspicious depending on the size of the VM, but I don't know how many, if any, IT shops do that for client machines. It could be deployed via USB thumb drive, though depending on the size of the VM, it might be slow copying a couple of gigs to the victim. Or, if you pop it remotely and have SYSTEM privs, a small, easy-to-deploy package could be pushed via meterpreter or similar.

Several years ago, Microsoft and the University of Michigan created something similar but more evil called SubVirt that modified the boot process and inserted a rootkitted hypervisor, thereby subverting the entire victim OS. As far as I know, they never released a working example, but there were some papers and I think a presentation at BH. Google the following for more info on the SubVirt research: microsoft michigan rootkit hypervisor

-jhs

On Mar 10, 2009, at 10:20 AM, Jim Halfpenny wrote:
Hi all,

I've spent a few cycles thinking about the idea from a previous of installing a virtual machine as a drop-box and I just wanted to dump my ideas and get some feedback. It has some distinct

The idea is to install virtualisation software and a virtual machine on a target system, for example by gaining physical access or by abusing autorun on a removable medium. Being a VM may shield it from anti-malware scanners so nefarious tools can be loaded and run on the target without detection. One possible stack to use would be Qemu and a Damn Small Linux derivative. It would be self contained and easy to install and remove and not require any changes to the networking on the host system. Once installed I would envision that the VM would perform reconnaissance against the target network and deliver the data over a covert channel.

What do you think? Ideas and suggestions most welcome.

Jim

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
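The two detection signals raised in this exchange (a sudden multi-gigabyte jump in used disk space, and a desktop hypervisor such as Qemu appearing where none ran before) can be correlated from routine endpoint inventory snapshots. The script below is an added example written for this archive page, not code from either poster; the hypervisor process names, the 2 GiB / one hour thresholds and the snapshot data are all constructed assumptions.

```python
from dataclasses import dataclass, field

GIB = 1024 ** 3
# Process names of common desktop hypervisors (assumed list; extend per fleet).
HYPERVISOR_PROCS = {"qemu", "qemu-system-i386", "qemu-system-x86_64",
                    "vmware-vmx", "VBoxHeadless", "VirtualBoxVM"}

@dataclass(frozen=True)
class Snapshot:
    host: str
    ts: int                      # seconds since epoch when inventory was taken
    used_bytes: int              # used space on the system volume
    processes: frozenset = field(default_factory=frozenset)

def review_snapshots(snapshots, jump_bytes=2 * GIB, window_s=3600):
    """Compare consecutive snapshots per host. Emit a finding for each interval
    where used space grows by >= jump_bytes within window_s, or a hypervisor
    process appears that was absent before. Both signals together -> 'high'."""
    by_host = {}
    for s in sorted(snapshots, key=lambda s: (s.host, s.ts)):
        by_host.setdefault(s.host, []).append(s)
    findings = []
    for host, snaps in by_host.items():
        for prev, cur in zip(snaps, snaps[1:]):
            if cur.ts - prev.ts > window_s:
                continue             # slow growth over days is ordinary churn
            jump = cur.used_bytes - prev.used_bytes
            new_hv = sorted((cur.processes - prev.processes) & HYPERVISOR_PROCS)
            signals = []
            if jump >= jump_bytes:
                signals.append(f"disk +{jump / GIB:.1f} GiB in {cur.ts - prev.ts}s")
            if new_hv:
                signals.append("new hypervisor process: " + ", ".join(new_hv))
            if signals:
                findings.append({"host": host, "ts": cur.ts, "signals": signals,
                                 "severity": "high" if len(signals) == 2 else "medium"})
    return findings

# Constructed sample inventory: ws-17 gains 3 GiB and a qemu process in 30 min;
# ws-22 shows ordinary growth; ws-03 gains 5 GiB but spread over two days.
SAMPLE = [
    Snapshot("ws-17", 1236700800, 40 * GIB, frozenset({"explorer.exe", "svchost.exe"})),
    Snapshot("ws-17", 1236702600, 43 * GIB, frozenset({"explorer.exe", "svchost.exe", "qemu-system-i386"})),
    Snapshot("ws-22", 1236700800, 60 * GIB, frozenset({"explorer.exe"})),
    Snapshot("ws-22", 1236702600, 60 * GIB + 100 * 1024 ** 2, frozenset({"explorer.exe"})),
    Snapshot("ws-03", 1236700800, 20 * GIB, frozenset({"explorer.exe"})),
    Snapshot("ws-03", 1236873600, 25 * GIB, frozenset({"explorer.exe"})),
]

if __name__ == "__main__":
    for f in review_snapshots(SAMPLE):
        print(f["severity"], f["host"], "; ".join(f["signals"]))
```

Widening `window_s` trades the quiet baseline for catching a slow copy over a USB stick, so tune it against your own fleet's normal growth.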